phpmyadmin/url.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * URL redirector to avoid leaking Referer with some sensitive information.
   5  *
   6  * @package PhpMyAdmin
   7  */
   8
   9 /**
  10  * Gets core libraries and defines some variables
  11  */
  12 define('PMA_MINIMUM_COMMON', true);
  13 require_once './libraries/common.inc.php';
  14 /**
  15  * JavaScript escaping.
  16  */
  17 require_once './libraries/js_escape.lib.php';
  18
  19 if (! PMA_isValid($_REQUEST['url'])
  20     || ! preg_match('/^https?:\/\/[^\n\r]*$/', $_REQUEST['url'])
  21     || ! PMA_isAllowedDomain($_REQUEST['url'])
  22 ) {
  23     header('Location: ' . $cfg['PmaAbsoluteUri']);
  24 } else {
  25     // JavaScript redirection is necessary. Because if header() is used
  26     //  then web browser sometimes does not change the HTTP_REFERER
  27     //  field and so with old URL as Referer, token also goes to
  28     //  external site.
  29     echo "<script type='text/javascript'>
  30             window.onload=function(){
  31                 window.location='" . PMA_escapeJsString($_REQUEST['url']) . "';
  32             }
  33         </script>";
  34     // Display redirecting msg on screen.
  35     // Do not display the value of $_REQUEST['url'] to avoid showing injected content
  36     echo __('Taking you to the target site.');
  37 }
  38 die();